In association with heise online

11 February 2008, 14:22

OpenBSD random number generator not random enough


According to security researcher Amit Klein, the pseudo random number generator (PRNG) used by OpenBSD, Mac OS X, Mac OS X Server, Darwin, FreeBSD, NetBSD and DragonFlyBSD contains weaknesses that allow its output to be predicted. On OpenBSD this may permit DNS cache poisoning if BIND is run as a caching resolver. On the other operating systems the weaknesses allow remote identification of the operating system and determination of the network topology.

Klein discovered similar vulnerabilities in the PRNG of the BIND DNS server in the middle of last year. In response the ISC released a new version of BIND 9 and dropped support for the obsolete BIND 8. The OpenBSD development team had already categorised the BIND PRNG as insecure when BIND 9 was imported and replaced it with an internally developed PRNG in OpenBSD's version of BIND. When the vulnerability in the BIND PRNG was discovered this looked like a smart move, as it appeared to have spared OpenBSD's BIND from cache poisoning attacks.

Name servers use the PRNG to generate the 16-bit transaction IDs that are meant to prevent the injection of fake DNS responses. However, the weaknesses in the OpenBSD PRNG allow these transaction IDs to be predicted. An attacker embeds on a web page images whose hostnames lie in a domain whose name server he controls; the victim's resolver then sends a small number of queries to that server, revealing their transaction IDs. From these the attacker can compute future transaction IDs and return fake address records before the genuine reply arrives. This facilitates attacks such as phishing.
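To make the mechanism concrete, the following added example (written for this article, not code from Klein's advisory or from OpenBSD) simulates a caching resolver whose transaction IDs come from a predictable generator. The generator is a simple 16-bit linear congruential generator chosen purely for illustration and assumed to be publicly known; it is not OpenBSD's algorithm. The `Resolver`, `recover_lcg` and `run_attack` names, the domains attacker.example and www.bank.example, and the IP addresses are all hypothetical.

```python
# Added example (not from the article or from OpenBSD): a resolver whose
# transaction IDs come from a predictable generator, and an attacker who
# observes a few IDs through queries for his own domain and then forges the
# answer to a later query.  The LCG is a placeholder for "some predictable
# algorithm"; it is not the OpenBSD generator.  All names, addresses and
# classes are hypothetical.

MOD = 1 << 16           # DNS transaction IDs are 16 bits wide
A, C = 25173, 13849     # hypothetical LCG constants, assumed to be public


class LcgTxidSource:
    """Predictable 16-bit generator: x_{n+1} = (A*x_n + C) mod 2^16.
    Each output is the entire internal state, so one observed ID
    fixes every later one."""
    def __init__(self, seed):
        self.x = seed % MOD

    def next_id(self):
        self.x = (A * self.x + C) % MOD
        return self.x


class Resolver:
    """Toy caching resolver: accepts the first reply whose transaction ID
    matches the outstanding query for that name."""
    def __init__(self, txid_source):
        self.txid_source = txid_source
        self.pending = {}   # name -> txid of the query in flight
        self.cache = {}     # name -> address

    def send_query(self, name):
        txid = self.txid_source.next_id()
        self.pending[name] = txid
        return txid

    def receive_reply(self, name, txid, address):
        if self.pending.get(name) != txid:
            return False            # wrong ID: reply discarded
        del self.pending[name]
        self.cache[name] = address
        return True


def recover_lcg(observed):
    """Attacker side: check the observed IDs against the known recurrence
    and, if they fit, clone the generator's state from the last one."""
    for prev, cur in zip(observed, observed[1:]):
        if (A * prev + C) % MOD != cur:
            return None             # not this generator, or not consecutive
    return LcgTxidSource(observed[-1])


def run_attack(seed, victim_name="www.bank.example", bogus="203.0.113.66"):
    """Returns (attack_succeeded, address now cached for victim_name)."""
    victim = Resolver(LcgTxidSource(seed))

    # 1. The victim views a page with <img> tags for names in attacker.example;
    #    its resolver queries the attacker's name server, which logs the IDs.
    observed = []
    for i in range(3):
        name = f"img{i}.attacker.example"
        txid = victim.send_query(name)
        observed.append(txid)
        victim.receive_reply(name, txid, "203.0.113.5")   # attacker answers normally

    model = recover_lcg(observed)
    if model is None:
        return False, victim.cache.get(victim_name)

    # 2. The victim now looks up the real target.  The forged reply carrying
    #    the predicted ID arrives before the genuine one and is accepted.
    predicted = model.next_id()
    victim.send_query(victim_name)
    ok = victim.receive_reply(victim_name, predicted, bogus)
    return ok, victim.cache.get(victim_name)


if __name__ == "__main__":
    print(run_attack(seed=4242))   # (True, '203.0.113.66')
```

With a generator whose state cannot be recovered from its output (for instance `secrets.randbelow(MOD)` in place of the LCG), `recover_lcg` rejects the observed sequence and a forged reply matches only with probability 1/65536 per attempt. Note that an unpredictable 16-bit ID is still a small search space on its own; in practice resolvers also randomise the UDP source port so that an attacker has to guess both.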

Because the OpenBSD PRNG has also been adopted by other operating systems, it creates vulnerabilities in those too. In a security advisory, Klein warns that Mac OS X, Mac OS X Server, Darwin, FreeBSD, NetBSD and DragonFlyBSD all use the OpenBSD PRNG to generate the IP identification field used for fragmentation. Since these IDs can be predicted, such a host can serve as the "zombie" in an nmap idle scan: an attacker can port-scan third-party systems with packets that appear to come from the zombie and, by watching how its ID advances, infer how much traffic the host is sending and map the surrounding network.
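The idle scan mentioned above, as an added in-process simulation (written for this article, not code from nmap or from any of the affected systems): three hypothetical hosts are modelled, the zombie's IP ID generator is a plain counter standing in for any predictable generator, and the addresses, host roles and port states are constructed test data.

```python
# Added example (not from the article or from nmap): an in-process
# simulation of the idle scan that a predictable IP ID field makes possible.
# Three hypothetical hosts are modelled; the zombie's ID generator is a plain
# counter standing in for any predictable generator.  Addresses, port states
# and the Host/Network classes are constructed for this example.
import secrets


def sequential_ids(start=1000):
    """Predictable generator: the IP ID increments by one per packet sent."""
    state = [start]
    def nxt():
        state[0] = (state[0] + 1) & 0xFFFF
        return state[0]
    return nxt


def random_ids():
    """Unpredictable generator: each packet gets a fresh random 16-bit ID."""
    return lambda: secrets.randbelow(1 << 16)


class Host:
    def __init__(self, ip, next_ipid, open_ports=()):
        self.ip = ip
        self.next_ipid = next_ipid
        self.open_ports = set(open_ports)
        self.received = []          # packets delivered to this host

    def react(self, pkt):
        """Minimal TCP behaviour of a host with no connection state."""
        self.received.append(pkt)
        if pkt["kind"] == "SYN":
            return "SYN/ACK" if pkt["dport"] in self.open_ports else "RST"
        if pkt["kind"] == "SYN/ACK":
            return "RST"            # an unexpected SYN/ACK is answered with RST
        return None                 # a RST is silently dropped


class Network:
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}

    def send(self, sender, src_ip, dst_ip, kind, dport=None):
        """sender builds the packet (spending one of its IP IDs); src_ip may
        be spoofed, in which case replies go to src_ip, not back to sender."""
        pkt = {"src": src_ip, "dst": dst_ip, "kind": kind,
               "dport": dport, "ipid": sender.next_ipid()}
        dst = self.hosts.get(dst_ip)
        if dst is not None:
            reply = dst.react(pkt)
            if reply is not None:
                self.send(dst, dst.ip, src_ip, reply)
        return pkt


def idle_scan(net, attacker, zombie, target, ports):
    """Classify target's ports by how far the zombie's IP ID advances."""
    result = {}
    for port in ports:
        net.send(attacker, attacker.ip, zombie.ip, "SYN/ACK")       # probe zombie
        before = attacker.received[-1]["ipid"]
        net.send(attacker, zombie.ip, target.ip, "SYN", dport=port) # spoofed source
        net.send(attacker, attacker.ip, zombie.ip, "SYN/ACK")       # probe again
        after = attacker.received[-1]["ipid"]
        delta = (after - before) & 0xFFFF
        # +1: only our second probe; +2: the zombie also answered target's SYN/ACK
        result[port] = {1: "closed", 2: "open"}.get(delta, "unknown")
    return result


def demo(zombie_ids=sequential_ids):
    attacker = Host("198.51.100.9", sequential_ids(1))
    zombie = Host("192.0.2.10", zombie_ids())
    target = Host("203.0.113.20", sequential_ids(500), open_ports={80, 443})
    net = Network([attacker, zombie, target])
    return idle_scan(net, attacker, zombie, target, [22, 80, 443])


if __name__ == "__main__":
    print(demo())              # {22: 'closed', 80: 'open', 443: 'open'}
    print(demo(random_ids))    # mostly 'unknown': the zombie is unusable
```

The target only ever sees packets from the zombie's address, which is why a host with predictable IP IDs is attractive as a scan proxy, and the same ID deltas tell the attacker how many packets the zombie sends between probes. Real hosts have more complex ID behaviour than this counter (per-destination counters, ID reuse, rate effects), so nmap verifies a candidate zombie before relying on it.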

In his security advisory, Amit Klein assesses OpenBSD 3.3 to 4.2, and possibly older versions, as vulnerable to cache poisoning attacks. According to Klein the OpenBSD development team does not plan to release a software update. In response to his report they apparently wrote that they were not interested in the problem and that it was in practice irrelevant, an as yet unexplained contradiction, since this is precisely why the OpenBSD programmers replaced the PRNG in their version of BIND.

Apple's security team does plan to address the predictable IP fragmentation IDs, but has given no timescale for an update. The bug affects Mac OS X and Mac OS X Server versions 10.0 to 10.5.1 and Darwin 1.0 to 9.1. The development teams behind FreeBSD (versions 4.4 to 7.0 are vulnerable), NetBSD (1.6.2 to 4.0) and DragonFlyBSD (1.0 to 1.10.1) have already committed patches to their version control systems, which administrators should apply to their systems.
